<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: No hope for John/Jane, since security pros are confused too. in Security</title>
<link>http://www.dslreports.com/forum/r20349588</link>
<description></description>
<language>en</language>
<pubDate>Wed, 20 Aug 2008 20:29:30 EDT</pubDate>
<lastBuildDate>Wed, 20 Aug 2008 20:29:30 EDT</lastBuildDate>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20355952</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : Perhaps we are experiencing something akin to the Pinkertons.  It is not likely that someone riding in a stagecoach with two Pinkertons felt safe that they could have a private conversation.  They were willing to give up privacy for personal security.  That has evolved and today we drive down the freeway next to Highway Patrol vehicles, with no concerns that they are listening in on our private conversations while they provide for our personal safety.<br><br>In the stagecoach example, someone that considered their privacy important enough provided their own security.  They could be assured in their privacy to the extent that their own security provided it.  It is that freedom of choice that seems to be lacking as entities move in to provide security to the masses.  This probably explains the greater privacy concerns of security conscious individuals when compared with the general public.  We provide for our own security, yet we anticipate the Pinkertons being forced into our stagecoach.<br><br>To be fair to those expected to provide security to the masses, we live in a world today when the actions of a few can harm many.  The solution has become more difficult than the examples history provides us.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20355952</guid>
<pubDate>Sat, 19 Apr 2008 19:18:13 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20355754</link>
<description><![CDATA[<A HREF="/useremail/u/1140294"><b>Blackbird</b></A> : <div class="bquote"><small>said by  mikenolan7 <A HREF="/useremail/u/1215698"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>But how can the internet be considered to be ready to move to the level of infrastructure?  The amount of malware is still expanding rapidly, the size of botnets continues to grow.  Individual companies still bring in hired guns to design their security systems, or test their quality.<br><br>If we compare it to the interstate highway system and automobiles, we are still at the level of banks hiring Pinkertons to try to protect the stagecoach. </div>IMHO, what matters most is what popular expectations and perceptions are regarding the necessity and use of a service, not so much whether that service is as mature as other services within the infrastructure universe. That is, if enough folks perceive and act as if the Internet is part of infrastructure, regardless of the shortcomings you correctly noted, their expectations about the Internet (and their responses to malware and hacking issues) will match their perceptions and actions... and they will expect it to behave as other infrastructure. <br><br>In your stagecoach analogy, users who wanted safe delivery of themselves or their shipments expected that to be fulfilled, particularly as time went by and the service came to resemble infrastructure... and they ultimately demanded (and obtained) improved protection of that service. They didn't go out and ride shotgun themselves... they expected (and demanded) the protection be provided by the service operator - and by government. Even as stage transport evolved into rail transportation and then to autos and highways.<br><br>I'm just observing and commenting in all of this, not 'advocating'. 
But when folks have "infrastructure" expectations regarding services, history shows me that they'll ultimately demand providers <i>and government</i> step in and protect those services from attack. <br><br>And government involvement in bringing "law-and-order" to the "wild west" Internet represents both a potential blessing and curse, as I believe many of us here realize. But I'm not as convinced that the general user-public (corporate and private) will discern the curse as readily. And as they come to demand "somebody" do something to protect what they increasingly view as infrastructure (in terms of what they "need" the Internet to do for them), my concern is that government will be called to step in and be the "somebody" who "does something" - with little balanced concern for where that will lead.<br><br>I'd certainly love to be wrong about that... :(<br><small>--<br>If God wanted us to work with electrons, He'd make them big enough to see...</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20355754</guid>
<pubDate>Sat, 19 Apr 2008 18:24:03 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20353228</link>
<description><![CDATA[<A HREF="/useremail/u/151802"><b>jaykaykay</b></A> : <div class="bquote"><small>said by  astirusty <A HREF="/useremail/u/269961"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> <br>I am not sure that is proof when it comes to John/Jane Doe.  You obviously helped your friends.  But few John/Jane Doe types:<br>a) have friends who can really help them with security<br>b) few take security seriously <i>(as evident by all the BOTS)</i><br>c) take advantage of even free help when it is offered<br> </div>The biggest issue you missed is that all too few even know that there is a security issue for their system.  :(<br><small>--<br>JKK:-)<br><br>Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! <br><br>&raquo;<A HREF="http://www.pbase.com/jaykaykay" >www.pbase.com/jaykaykay</A><br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20353228</guid>
<pubDate>Fri, 18 Apr 2008 21:36:21 EDT</pubDate>
</item>

<item>
<title>Re: Hope for John/Jane Doe</title>
<link>http://www.dslreports.com/forum/remark,20352161</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  mysec <A HREF="/useremail/u/1295721"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>There is too much of a defeatist notion about the plight of home users. Some people seem to take pleasure in gloating over others' misfortunes.</div>I can assure no gloating here.  I have helped (for free) home users when the input was desired.  <i>Hell, for that matter I even helped (for free) the U.S. Government with security (clean-up & prevention).</i><br><br>The issue I continue to see with computer security is security types who give technical advice as if it's all there is to security.  As in just do A, B, C, and your security problem is resolved.  Good example is the advice given here years ago <i>(that any Unix admin already knew)</i>, don't run as administrator.  Yet, guess what?  People even when they know the risks still do and those who don't understand the risks, well they don't care.  Of course, that technical advice also ignored the PITA aspect for John/Jane Doe user; thus most users weren't going to bother even if they did understand the risks.<br><br>The point is there is a non-technical side to security that involves aspects like: politics, psychology, feasibility, mindset, buy-in, education, and leadership.<br> <br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20352161</guid>
<pubDate>Fri, 18 Apr 2008 11:31:24 EDT</pubDate>
</item>

<item>
<title>Hope for John/Jane Doe</title>
<link>http://www.dslreports.com/forum/remark,20351570</link>
<description><![CDATA[<A HREF="/useremail/u/1295721"><b>mysec</b></A> : Yes, that is sad, but it doesn't dispute that it can be done. There is too much of a defeatist notion about the plight of home users. Some people seem to take pleasure in gloating over others' misfortunes.<br><br>Sensational headlines in the mainstream security news add fuel to the fire story, but those who take the time to help even just a few aren't influenced by all of the propaganda. If they were, nothing would get done.<br><br>Just because Mr. Brown's shoes are too tight, why should my feet hurt?<br><br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20351570</guid>
<pubDate>Fri, 18 Apr 2008 08:14:48 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20351379</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  mysec <A HREF="/useremail/u/1295721"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>In my experience, John and Jane need very few security products. Proof of this is that neither I nor anyone I've helped over the years has ever gotten malware installed.</div>I am not sure that is proof when it comes to John/Jane Doe.  You obviously helped your friends.  But few John/Jane Doe types:<br>a) have friends who can really help them with security<br>b) few take security seriously <i>(as evident by all the BOTS)</i><br>c) take advantage of even free help when it is offered<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20351379</guid>
<pubDate>Fri, 18 Apr 2008 01:53:25 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20351308</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : But how can the internet be considered to be ready to move to the level of infrastructure?  The amount of malware is still expanding rapidly, the size of botnets continues to grow.  Individual companies still bring in hired guns to design their security systems, or test their quality.<br><br>If we compare it to the interstate highway system and automobiles, we are still at the level of banks hiring Pinkertons to try to protect the stagecoach.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20351308</guid>
<pubDate>Fri, 18 Apr 2008 01:20:59 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20351291</link>
<description><![CDATA[<A HREF="/useremail/u/1295721"><b>mysec</b></A> : This seems more oriented to IT environments, but since John and Jane are mentioned, I will say that I and a few friends who help home users would disagree that there is no hope for John/Jane.<br><br>Speaking from a home user's point of view, IMO computer security is made out to be more complicated than need be.<br><br>There are two principal ways malware gets installed,<br><br>1) By remote code execution<br><br>2) By user being tricked into installing something malicious<br><br>The first is the easiest to deal with: <br><br>==> firewall<br><br>==> some method of preventing installation of unauthorized executables; there are a number of White List solutions available.<br><br>The second is more problematical, since it involves the user making a decision. No security product will be reliable, as the "Beware Fake Codecs" thread points out.<br><br>The  <A HREF="http://sunbeltblog.blogspot.com/2008/04/google-pages-porn-malware-invasion.html">Sunbelt link</a> in the Google Groups thread is another example of people being enticed to click. Again, no security product will be reliable.<br><br>In my experience, John and Jane need very few security products. Proof of this is that neither I nor anyone I've helped over the years has ever gotten malware installed. <br><br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20351291</guid>
<pubDate>Fri, 18 Apr 2008 01:14:11 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20351134</link>
<description><![CDATA[<A HREF="/useremail/u/1140294"><b>Blackbird</b></A> : Schneier makes a very insightful point in the article:<br><blockquote>For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.</blockquote><br><br>Whether he's right or not about the "death" of the end-user security industry is not my real point. What stands out to me is his implication that the Internet is in process of finally joining the "infrastructure" - at least, to a great many users. That perception changes expectations and it changes what people are willing to do themselves in order to use the infrastructure to simply "get things done." And IMHO it will eventually change how the industry deals with meaningful security - a key question being: how long is "eventually"?<br><br>However, this infrastructure perception sets up a growing tension between the evolving "bundling" thrust and the issues of monopoly/anti-trust. Referring to Schneier's car analogy, in the auto industry when car companies do the bundling, developers of innovative concepts have to sell their ideas to the car companies... and, if successfully "sold", the car companies demand a wide variety of tight specifications, cost controls, and delivery commitments from a developer for whatever he supplies. The end customer only deals with the end results - the car - which will hopefully be successful. But a major problem arises if there's only one major company selling the end product(s), be it cars or software. 
One only need observe the near-daily criticism, justifiable or not, occurring every time Microsoft absorbs some innovative development-house or adds a "feature" previously only available independently of Microsoft to get a sense of how much of a hot-button issue that is.<br><br>Somewhere out there in the space-time continuum, growing 'infrastructure' expectations are going to collide head-on with anti-monopoly sentiments. That should prove... uhm... "interesting".<br><small>--<br>If God wanted us to work with electrons, He'd make them big enough to see...</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20351134</guid>
<pubDate>Fri, 18 Apr 2008 00:28:18 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20350455</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : It's not just at work that highly educated corporate end-users have that point of view.  I would constantly warn friends at work about the dangers of their home computing habits, and they would look at me like I was nuts.<br><br>"Stop visiting those porn sites and doing your banking on the same machine.  No, your default configured NAT router will not protect you with those habits."<br><br>"You're too paranoid."]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20350455</guid>
<pubDate>Thu, 17 Apr 2008 20:51:06 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20350411</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : <div class="bquote"><small>said by  La Luna <A HREF="/useremail/u/429050"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>The corporate/enterprise world may be a little different, but I'd bet the mindset is pretty much the same....make it work, make it absolutely secure....but don't inconvenience us.</div>Based on my experience you're close, as in: <i>... mindset is pretty much the same....make it work, ...but don't inconvenience us.</i>  <br>Oh wait, you're talking about the corporate security experts' point of view.  I was thinking about the corporate end-users' point of view.   ;)<br><br>Most of the corporate end-users I knew simply did not give _____ about security and I am talking about highly educated people with Masters or PhDs in Math, Science, Geology, etc.  The exception was when some security policy caused them extra effort.  Forget UAC type stuff, we're talking basic stuff like having to change their passwords every 60 days or being logged out due to inactivity.<br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20350411</guid>
<pubDate>Thu, 17 Apr 2008 20:38:47 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20350227</link>
<description><![CDATA[<A HREF="/useremail/u/1215698"><b>mikenolan7</b></A> : It's still more fun being multi-lingual.  I can be, and have been, owned in several different OS's.  It keeps life interesting.  They say an expert is someone who's made every mistake already, and I'm determined to do that in a hurry!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20350227</guid>
<pubDate>Thu, 17 Apr 2008 19:59:07 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20350013</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : <div class="bquote"><small>said by  La Luna <A HREF="/useremail/u/429050"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br><div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Heh. How's things with your 'Linux Mint' install?<br> </div>Ok. Still a learning curve.  :o<br></div>Yep, understand.<br>Went through it myself, as with anything new. Still am, and enjoying the process. :)<br><br>Congrats on giving it a try!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20350013</guid>
<pubDate>Thu, 17 Apr 2008 19:21:42 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349942</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Heh. How's things with your 'Linux Mint' install?<br> </div>Ok. Still a learning curve.  :o]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349942</guid>
<pubDate>Thu, 17 Apr 2008 19:07:46 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349891</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br>It is with Linux. ;) </div>Having <b>BIND</b> and <b>sendmail</b> <small>*cough* sorry  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :-) *cough* </small> on my systems makes me feel <i>so</i> warm and safe...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349891</guid>
<pubDate>Thu, 17 Apr 2008 18:56:39 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349820</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged.<br> </div>I don't either..too many friends got their accounts cleaned out that I know..even 4 years ago friends who live in Brasil got their Desktop PC in Sao Paulo compromised and their entire savings account whacked by thieves working out of  an internet cafe in Rio with just one floppy disk of trojans. At first the bank accused my friends that it was their fault..and even possible one of their kids did it..in the end I helped them track it all down and prove how it really happened..we even uncovered in the gang they had inside help at some of the branches to cover their tracks. :(<br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>*<br>A fun/friendly/informative forum for the mature elder crowd<br>  &raquo;<A HREF="http://www.theover50goldengroup.net" >www.theover50goldengroup.net</A><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349820</guid>
<pubDate>Thu, 17 Apr 2008 18:42:58 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349742</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349742</guid>
<pubDate>Thu, 17 Apr 2008 18:28:48 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349710</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br><b>Security isn't free</b></div>It is with Linux. ;)<br> </div>You can take that to the bank  :D ;)<br><br>&raquo;<A HREF="http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=251850&start=0" >techrepublic.com.com/5208-6230-0&middot;&middot;&middot;&start=0</A><br><br>&raquo;<A HREF="http://forums.fedoraforum.org/archive/index.php/t-211.html" >forums.fedoraforum.org/archive/i&middot;&middot;&middot;211.html</A><br><br>&raquo;<A HREF="http://www.google.com/search?hl=en&q=linux+and+online+banking&btnG=Google+Search" >www.google.com/search?hl=en&q=li&middot;&middot;&middot;e+Search</A><br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>*<br>A fun/friendly/informative forum for the mature elder crowd<br>  &raquo;<A HREF="http://www.theover50goldengroup.net" >www.theover50goldengroup.net</A><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349710</guid>
<pubDate>Thu, 17 Apr 2008 18:21:49 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349687</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : Heh. How's things with your 'Linux Mint' install?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349687</guid>
<pubDate>Thu, 17 Apr 2008 18:16:18 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349588</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : <div class="bquote"><small>said by  SUMware <A HREF="/useremail/u/634007"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br><b>Security isn't free</b></div>It is with Linux. ;)<br> </div>ahhh, shaddup.  :D  ;)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349588</guid>
<pubDate>Thu, 17 Apr 2008 18:01:42 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349517</link>
<description><![CDATA[<A HREF="/useremail/u/634007"><b>SUMware</b></A> : <div class="bquote"><small>said by  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><b>Security isn't free</b></div>It is with Linux. ;)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349517</guid>
<pubDate>Thu, 17 Apr 2008 17:49:37 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349507</link>
<description><![CDATA[<A HREF="/useremail/u/429050"><b>La Luna</b></A> : There's also the issue of "convenience" for John/Jane Home Users. People want secure, out of the box, but they don't want to be, in any way, shape or form, inconvenienced by it. UAC is sort of a case in point. Having to click through a couple of boxes is too inconvenient, as we've seen posted on these forums many times. They'd rather disable UAC. <br><br>The corporate/enterprise world may be a little different, but I'd bet the mindset is pretty much the same....make it work, make it absolutely secure....but don't inconvenience us.<br><br>So what is a developer of a security app, or even MS, to do when the end users want to have their cake and eat it too?<br><small>--<br><b><A HREF="http://www.thereligionofpeace.com/">10,925 DEADLY TERROR ATTACKS SINCE 9/11</a></b>~~<b><A HREF="/forum/disco">TEAM DISCOVERY</a></b><br><i>Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore</i><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349507</guid>
<pubDate>Thu, 17 Apr 2008 17:47:19 EDT</pubDate>
</item>

<item>
<title>Re: No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349299</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : One of our members posted this today in his new blog..and I think he will permit me to post some of it here since I think it ties into that which you thought was important to highlight..<br><br>Blake<br>Link Logger<br>&raquo;<A HREF="http://www2.dslreports.com/profile/356416" >www2.dslreports.com/profile/356416</A><br><br>Blogging from Microsoft MVP Summit Conference 2008<br>April 16, 2008 18:04 <br><br>&raquo;<A HREF="http://www.spearpoint.ca/blog/post/MVP-Summit---Day-Two.aspx" >www.spearpoint.ca/blog/post/MVP-&middot;&middot;&middot;Two.aspx</A><br><br>"The rest of the afternoon was spent discussing the current state of the art and future of security coding tools and practices.  Certainly this discussion has got me doing some thinking as I'm not really sure I agreed with what was said by some of the other people, but we obviously have different objectives and requirements which in itself highlights a problem within this area.  Not everyone wants the same thing, nor has the same expectations, budget etc.  I get the Threat Modeling, the use of techniques to detect potential SQL Injection issues, Fuzzing etc, but my objective is to secure the applications built by smaller companies who don't have the Threat Modeling experts, Tools and such that large ISVs and Enterprises might be able to afford.  In some ways I'm the guy who is looking for the 80% solution for the 20% cost that pretty well any company can implement no matter how big or small.  I'm not asking a company to get perfect security as I know that isn't possible or feasible, but really when it comes to security you just don't want to be the low hanging fruit.  One person I was talking to agreed with me and described it as being chased by a bear, you don't need to be the fastest man on earth, just faster than the other guy.  
I must admit I'm a little wary of automated testing tools as a silver bullet, I've seen them come and go, and while they might have been able to offer some direction or suggest areas to investigate, they were never silver bullets.  I guess I'm looking to just start by educating developers about the dangers and the simple techniques and tools to help get them going in the right direction.  The journey of a thousand miles starts with a single step sort of thing and some of the solutions discussed in my opinion are more than a single step and more like having a rocket pack which is great if you got the dough to buy one, otherwise you're hooped.  Now to be fair Microsoft wasn't suggesting these big ticket complex systems, but other people in the room were and again for their clients these might be great, but one size definitely doesn't fit all here." <br><br>"We had dinner tonight with Michael O'Neill, liked the guy right off as he has two L's in his last name.<b>  We talked about the challenges facing the Developer Security group and while I'm thrilled to be in this group, I'm wondering if perhaps I should have thought about it a little more before coming over.  When I was in the Windows Security group we pounded on the Microsoft Windows guys and they did something as Microsoft didn't give them much choice but to make it so, Microsoft accepted they had a problem and they had to do something to fix it as it wasn't going to go away on its own.  In the Developer Security group we are dealing with third party developers working on third party applications so Microsoft just can't hammer them into action, so we will need to provide them with the guidance, tools, education, and provide them with the information required to motivate themselves.  This will be a challenge to start with as frankly there are all sorts of reasons (none of them good) for resisting change.  
Security isn't free and it requires change, and given that most dev shops are already underfunded and overworked this change isn't going to come easily (frankly I think that most development shops have serious personal problems as frankly I don't think developers are enjoying their jobs anymore as far too many shops have become little more than sweat shops, because of increasing expectations, falling employment numbers, etc).  I sometimes wonder if third parties will need to experience the intense pain that Microsoft felt in the past to motivate them to make security a priority worthy of investment of enough resources and budget to elevate their game to an acceptable level.</b>  Michael is putting a lot of thought into how Microsoft can help external developers and I think he has a pretty good group of very diverse people in his MVP group to help him achieve this goal and plus I love a really good challenge to test my belief that this really is the 'next' big issue in security. <br><small>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>*<br>A fun/friendly/informative forum for the mature elder crowd<br>  &raquo;<A HREF="http://www.theover50goldengroup.net" >www.theover50goldengroup.net</A><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349299</guid>
<pubDate>Thu, 17 Apr 2008 15:37:28 EDT</pubDate>
</item>

<item>
<title>No hope for John/Jane, since security pros are confused too.</title>
<link>http://www.dslreports.com/forum/remark,20349282</link>
<description><![CDATA[<A HREF="/useremail/u/269961"><b>astirusty</b></A> : An article by Bruce Schneier predicting <A HREF="http://www.wired.com/politics/security/news/2008/04/securitymatters_0417">RSA Conference Will Shrink Like a Punctured Balloon</a> has an interesting statement about security products: <div class="bquote">The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.</div>And Bruce hits on one issue of security when it comes to John/Jane consumer/user, that some security pros fail to recognize.<br><div class="bquote">No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- <b>and they want it to be secure. They don't want to have to become IT security experts.</b> They don't want to have to go to the RSA Conference.</div> <i>Emphasis added in Bold.</i><br><br>And for those here who just "LOVE" car analogies...<br><div class="bquote">Imagine if the inventor of antilock brakes -- or any automobile safety or security feature -- had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn't. But that's not what happens. Antilock brakes, airbags and that annoying sensor that beeps when you're backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers.</div><br><small>--<br>Do yourself a favor, just say no to anything Windows.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20349282</guid>
<pubDate>Thu, 17 Apr 2008 15:07:52 EDT</pubDate>
</item>

</channel>
</rss>
